deadc0de edited this page Dec 12, 2017 · 11 revisions


Target specification

Targets can be provided either directly on the command line, separated by commas, or through a file. There are two main types of target: IP (a valid IPv4 address) or domain (a valid domain).

Each target (either on the CLI or through a file) can be specified in different flavors:

  • (-f|-F) 1.1.1.1 - an IPv4 address
  • (-f|-F) 1.1.1.1:123 - an IPv4 address and a port
  • (-f|-F) 1.1.1.1/24 - a CIDR range
  • (-f|-F) 1.1.1.1:123/24 - a CIDR range on a port
  • (-d|-D) test.com - a domain
  • (-d|-D) test.com:123 - a domain on a port

Each of the above can have an additional argument added with a + separator. It must be added to the end. This argument can be used within a fingerprinting module by accessing Args#args.tgtarg.

Target distribution

Scannerl will act differently depending on the type of target:

  • for an IP: use as is
  • for a hostname: use as is
  • for a CIDR: subdivide into /24 (by default; can be changed with the -c switch)

Port specification

The port can be specified in three different ways:

  • (1) through <target>:<port> (see above)
  • (2) through the CLI -p <port> switch
  • (3) from the default port defined in the fingerprinting module (-define(PORT, ...) directive in the module source file)

Option (1) overrides option (2), which overrides option (3).
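
The target syntax, port precedence and /24 subdivision described above, as an added Python sketch (not scannerl's own code) for checking what a target list expands to before a scan. The function name, its parameters (`chunk` stands in for the -c switch) and the handling of host bits in a CIDR are assumptions.

```python
import ipaddress


def parse_target(spec, is_domain=False, cli_port=None, module_port=None, chunk=24):
    """Return (targets, port, arg) for one target string.

    Sketch of the syntax on this page only; scannerl's own parser may differ.
    """
    # The optional extra argument follows the '+' separator and ends the string.
    spec, _, arg = spec.partition("+")
    arg = arg or None
    prefix = None
    if not is_domain and "/" in spec:
        # CIDR form: the prefix length comes last, after any port (1.1.1.1:123/24).
        spec, _, prefix = spec.rpartition("/")
    host, _, port = spec.partition(":")
    # Precedence: <target>:<port> (1), then -p (2), then the module default (3).
    if port:
        port = int(port)
    elif cli_port is not None:
        port = cli_port
    else:
        port = module_port
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    if is_domain:
        return [host], port, arg
    if prefix is None:
        # Raises a ValueError subclass if the address is not valid IPv4.
        return [str(ipaddress.IPv4Address(host))], port, arg
    # Assumption: host bits set in the address are ignored (strict=False).
    net = ipaddress.IPv4Network(f"{host}/{prefix}", strict=False)
    if net.prefixlen >= chunk:
        return [str(net)], port, arg
    return [str(n) for n in net.subnets(new_prefix=chunk)], port, arg


if __name__ == "__main__":
    # Constructed sample targets; -p 80 and a module default of 443 are assumed.
    samples = [("10.0.0.0/22", False), ("1.1.1.1:123/24", False), ("test.com+x", True)]
    for s, dom in samples:
        print(s, "->", parse_target(s, dom, cli_port=80, module_port=443))
```
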

Communication with scannerl

Scannerl will listen on a pre-defined UDP port on localhost when started. This specific port can be changed with the option -M --message (providing a port above the max port range will disable this service).

One can then send a message to scannerl on this port to trigger specific actions.

  • progress: show the progression of each node
  • abort: abort the scan

Here's an example of how to send a message:

echo -n "abort" | nc -4u -q1 127.0.0.1 57005
echo -n "progress" | nc -4u -q1 127.0.0.1 57005

Debugging

Scannerl allows multiple levels of debugging. These are activated by combining their values with a bitwise OR (see below) and providing the result to the -v switch:

  • level0 (0b 0000 0000): none
  • level1 (0b 0000 0001): fpmodules debug enabled
  • level2 (0b 0000 0010): outmodules debug enabled
  • level4 (0b 0000 0100): broker debug enabled
  • level8 (0b 0000 1000): master debug enabled
  • level16 (0b 0001 0000): scannerl debug enabled
  • level128 (0b 1000 0000): more info (queue size, ...) printed on each debug message

The above list is available with the -V switch.

For example, -v 6 (2 + 4) would enable the outmodules and broker debugs.
